I always looked at risk management activities using the event-driven risk approach offered by the current project management traditions.Perhaps because of this, I've never paid so much attention on this topic before, as I am doing now.
Flying back to Brazil from the conference in Miami, I had the opportunity to read the amazing piece of text that David Anderson wrote about Risk Management on the proceeding book of the conference. After that, I've started to think about risks in a different dimension. Now, I’m diving on this conclusion:
Mutual Trust Relationships can be sustained by intrinsic risk management mechanisms.
There is definitely something more in dealing with risks than just trying to create mitigation and contingency plans up-front.
To be relevant, risk management has to be merged into the system to orchestrate his behavior.
I have this feeling today that any decision point in a process should be oriented by some risk analysis approach. I’m not talking about a plan for risk mitigation here; I’m talking about a process for continuous risk mitigation. Is that possible?
In David's article, he describes a technique that uses Classes of Service (CoS) as an instrument to make the system works oriented to risk decisions according Cost of Delay. So, before you inject new work into the system you are conditioned to think about risks, once you have to classify each work item by doing an analysis of the associated Cost of Delay. The type of risk is going to influence behavior by the application of different contextual policies. Pure System Thinking!
Labeling work items is a interesting mechanism to influence system behavior. If you use an e-mail system like Gmail you can see that in practice. When you decide to tag messages by some form of classification, you define a visual agreement mechanism that is able to influence your behavior. You are going to act differently when you see a message with a special tag type.
What David is proposing is labeling work items by risk criteria, which is going to subordinate the system to be risk-oriented, a fundamental part of self-sustainable processes. So that's why David's article got my attention in the conference book. Explicit Risk Management is missing in our process. We have to figure it out how to apply this knowledge on it.
In our process, we have a different use for Classes of Services.
Instead of thinking about the risk, we are thinking about Value mapped to agreements that we need to respect as we interact with our customers.
We talk to them in these terms:
“You (the customer) should trust us (the vendor) as we will try very hard to keep your business up and running by solving any problem (1) that you have or by helping you in any operation (2) that you need assistance from us; we also are going to sustain your processes by doing improvements and adaptations (3) as your business evolve and, while we do that, we are constantly trying to deliver new features and capabilities in our software to create new business opportunities (4) that generates value for you in your market share.”
This “Agreement Statement” maps to our Classes of Services (CoS):
1 - Problem solving
2 - Support and Operations
3 - Improvements for sustainability
4 - New Value
The intention of our "Agreement Statement" is to create a Mutual Trust Relationship with them by being flexible with their needs and getting flexibility from them for our needs (which are mainly estimation, prioritization, error tolerance, and others). So, all units of work derived from this CoS have Value for the customer. But the lack of any of this agreement can make the long term relationship that we aim becomes unstable.
We need to create balance by delivering units of work observing the system against this "Agreement Statement". During this observation we have to consider each individual customer and the whole system to make right decisions.
We have an assumption here which is based on the fact that we have different entities of our system competing by the same (and limited) resource. So they have to trust us that we are going to take the best decision considering this "invisible" competition that is happening in background. This decision process is all about "risk analysis.”
So, Risk Management is an important activity to create effectiveness on this decision process. An effective decision process creates trust, and high levels of efficiency on risk control leads to high levels of trust on this relationship.
Using CoS as David suggests seems to be a quite reasonable approach, once CoS is the primary way to classify units of work in Kanban Systems. But, I’ve realized an underlying model for managing risks here, which are leading us to the definition of a new orthogonal ax in our system for risk-oriented work items classification and also for risk-oriented policies. Merging risk analysis into our system to influence its behaviors is going to be my next challenge for now.